Low and slow DDoS attacks targeting critical services can cause serious problems. In low and slow DDoS attacks, computer criminals mimic legitimate client behavior by sending proper-looking requests via compromised and commandeered hosts. These low and slow DDoS attacks exploit the fact that many Internet servers have “open clientele” (i.e., they cannot tell a good client from the request alone), and force the victim server to spend much of its resources on spurious requests. The main properties of low and slow DDoS attacks are: (1) they are large scale, since the attacks can be launched from a large number of bots, and (2) they are stealthy (i.e., low volume), since the attack traffic is undetectable using browser fingerprinting, as the attack requests are generated from legitimate browsers (e.g., using man-in-the-browser malware), are undetectable at the server level since individual attack flow looks legitimate, and are undetectable at the network level since the flow volume is small.
Thus, what are still needed in the art are improved multiple detector methods and systems for defeating low and slow application DDoS attacks.